Alerting: Cayosoft Guardian built-in alerting rules
This document contains a list of built-in alerting rules in Cayosoft Guardian.
To enable, disable or modify built-in rules:
- Open the Cayosoft Guardian web portal.
- Expand the Configuration node and click the Alerting Rules node.
- To view or edit a rule, select it and click Properties.
List of built-in alerting rules with description
| Rule name and scope | Threat description | Rule description and additional information |
|---|---|---|
| Name: AdminSDHolder security descriptor changed. Scope: Active Directory | Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory that are in administrative or security-sensitive groups and have the AdminCount attribute = 1 against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated. That means if an administrator sees an inappropriate permission on a protected object and removes it, within an hour that permission will be put back in place by SDProp. This behaviour opens a potential attack path: an attacker might modify permissions on the AdminSDHolder object so that those permissions are automatically applied to all protected objects. This gives an attacker a way to create persistent access to privileged accounts within the domain. | The built-in alerting rule AdminSDHolder security descriptor changed raises an alert on any modification of the AdminSDHolder object. Cayosoft Guardian also detects permission modifications made by SDProp and creates change records for each changed object. |
| Name: AD Administrators Group membership changed. Scope: Active Directory | "Privileged" groups in Active Directory are those granted powerful rights, privileges, and permissions that allow them to perform nearly any action in Active Directory and on domain-joined systems. A new account added to such a powerful group can pose a risk. | The built-in alerting rule AD Administrators Group membership changed raises an alert when any member is added to the following groups in the Active Directory domain: Administrators, Backup Operators, Server Operators, ADSyncAdmins, DnsAdmins, Domain Admins, Enterprise Admins, Schema Admins. |
| Name: Azure AD Global Administrator role membership changed. Scope: Azure AD | A Global Administrator can manage all aspects of Azure AD and of Microsoft services that use Azure AD identities. A new account added to such a powerful role can pose a risk. | The built-in alerting rule Azure AD Global Administrator role membership changed raises an alert when any member is added to the following roles in the Azure AD tenant: Global Administrator, Company Administrator. |
| Name: Azure AD Global Administrator elevated access to Azure Resources. Scope: Azure | By default, a user with the Global Administrator role doesn’t have access to Azure resources; Azure AD and Azure resources are secured independently from one another. There are some scenarios mentioned by Microsoft where a user with the Global Administrator role requires access to Azure resources. Any Global Administrator can assign themselves the User Access Administrator role in Azure at the root scope (/). This elevated role lets a user with the Global Administrator role gain access to any subscription or management group in the directory. | The built-in alerting rule Azure AD Global Administrator elevated access to Azure Resources raises an alert whenever a Global Administrator elevates their access to manage all Azure subscriptions and management groups. |
| Name: Guest user added to group. Scope: Azure AD | With External Identities (previously known as Guests) in Azure AD, you can allow people outside your organization to access your apps and resources while letting them sign in using whatever identity they prefer. Some groups might have access to sensitive data, so it is important to monitor guest accounts that are added to such groups. | The built-in alerting rule Guest user added to group raises an alert whenever a guest is added to a group in Azure AD. |
| Name: New Guest user created. Scope: Azure AD | With External Identities (previously known as Guests) in Azure AD, you can allow people outside your organization to access your apps and resources while letting them sign in using whatever identity they prefer. Depending on the Azure AD settings, a member user can invite guest users into the directory, and a guest user might get access to sensitive data. | The built-in alerting rule New Guest user created raises an alert whenever a new guest user is created in Azure AD. |
| Name: Full access permission added for Exchange mailbox. Scope: Exchange Online | In Exchange Online, you can use the Exchange admin center (EAC) or Exchange Online PowerShell to assign permissions to a mailbox or group so that other users can access the mailbox (the Full Access permission) or send email messages that appear to come from the mailbox or group (the Send As or Send on Behalf permissions). The users that are assigned these permissions on other mailboxes or groups are called delegates. Such delegation might pose a risk of exposing sensitive data. | The built-in alerting rules Full access permission added for Exchange mailbox, SendAs access permission added for Exchange mailbox, and Full access permission added for Exchange mailbox raise an alert whenever the related permission is assigned on an Exchange Online mailbox. |
| Name: SendAs access permission added for Exchange mailbox. Scope: Exchange Online | Same threat description as for Full access permission added for Exchange mailbox above. | Same rule description as for Full access permission added for Exchange mailbox above. |
| Name: Full access permission added for Exchange mailbox. Scope: Exchange Online | Same threat description as for Full access permission added for Exchange mailbox above. | Same rule description as for Full access permission added for Exchange mailbox above. |
| Name: Forwarding rule added for Exchange mailbox. Scope: Exchange Online | As an admin, you might have company requirements to restrict or control automatically forwarded messages to external recipients (recipients outside of your organization). Email forwarding can be useful, but it can also pose a security risk due to the potential disclosure of information. Attackers might use this information to attack your organization or its partners. | The built-in alerting rule Forwarding rule added for Exchange mailbox raises an alert whenever a forwarding rule is added for an Exchange Online mailbox. |
| Name: Team guest settings changes. Scope: Teams | With External Identities (previously known as Guests) in Azure AD, you can allow people outside your organization to access your apps and resources while letting them sign in using whatever identity they prefer. Depending on the Team settings, guest users might get access to sensitive data. | The built-in alerting rule Team guest settings changes raises an alert whenever guest settings are changed for a specific Team. |
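The AdminSDHolder row above describes how SDProp re-applies the AdminSDHolder ACL to every protected principal each hour, which is why a tampered AdminSDHolder ACL persists. The following PowerShell is an added example (not Cayosoft Guardian's own code) of the manual check an administrator can run alongside the alert: it snapshots the ACEs on AdminSDHolder, compares them with a previously saved baseline, and lists the principals SDProp currently protects. It assumes the RSAT ActiveDirectory module is installed, the session runs as a domain user, and the baseline path is a placeholder you adjust.

```powershell
# Added example, not part of Cayosoft Guardian: detect drift on the AdminSDHolder ACL
# and enumerate the principals SDProp protects (adminCount = 1).
# Assumes: ActiveDirectory module (RSAT), domain-joined session; $baselinePath is a placeholder.
Import-Module ActiveDirectory

$domain          = Get-ADDomain
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$baselinePath    = 'C:\Baselines\AdminSDHolder-acl.json'   # placeholder, pick a protected location

function Get-AdminSdHolderAces {
    # Return the ACEs of the object as sorted, comparable strings.
    param([string]$Dn)
    $acl = Get-Acl -Path ('AD:\' + $Dn)      # AD: drive is provided by the ActiveDirectory module
    $acl.Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
            $_.AccessControlType, $_.ObjectType, $_.InheritedObjectType, $_.IsInherited
    } | Sort-Object -Unique
}

$current = @(Get-AdminSdHolderAces -Dn $adminSdHolderDn)

if (-not (Test-Path $baselinePath)) {
    # First run: record the reviewed, known-good ACL as the baseline.
    $current | ConvertTo-Json | Set-Content -Path $baselinePath
    Write-Output "Baseline written to $baselinePath ($($current.Count) ACEs)."
}
else {
    $baseline = @(Get-Content -Path $baselinePath -Raw | ConvertFrom-Json)
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    if ($diff) {
        Write-Warning 'AdminSDHolder ACL differs from the baseline:'
        $diff | ForEach-Object {
            # '=>' means the ACE exists now but not in the baseline; '<=' means it was removed.
            $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            Write-Output "$tag $($_.InputObject)"
        }
    }
    else {
        Write-Output 'AdminSDHolder ACL matches the baseline.'
    }
}

# Principals currently under SDProp protection. Accounts that were removed from privileged
# groups keep adminCount = 1 until it is cleared, so review anything unexpected here.
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, whenChanged |
    Select-Object Name, ObjectClass, WhenChanged, DistinguishedName |
    Sort-Object ObjectClass, Name |
    Format-Table -AutoSize
```

Run it once to create the baseline after the ACL has been reviewed, then on a schedule; any "ADDED" line is exactly the kind of change the alerting rule reports, and the diff tells you which identity gained which right.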
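The Forwarding rule row above notes that forwarding to external recipients can disclose information. As an added example (not Cayosoft Guardian's code), the PowerShell below audits an Exchange Online tenant for both kinds of forwarding the rule is concerned with: mailbox-level forwarding attributes and inbox rules that forward or redirect mail, flagging any target whose domain is not one of the tenant's accepted domains. It assumes the ExchangeOnlineManagement module and an already established Connect-ExchangeOnline session with permission to read mailboxes and inbox rules; the output CSV path is a placeholder.

```powershell
# Added example, not part of Cayosoft Guardian: list forwarding configured on mailboxes and in
# inbox rules, and flag targets outside the organisation's accepted domains.
# Assumes: ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session.
$acceptedDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    # True when the address's domain is not an accepted domain of this tenant.
    # Handles "smtp:user@domain" and "Display Name [SMTP:user@domain]" forms.
    param([string]$Address)
    if ($Address -match 'SMTP:([^\]]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1]
    return -not ($acceptedDomains -contains $domain)
}

$findings = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Forwarding set on the mailbox object itself.
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingSmtpAddress) {
        $findings += [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Source   = 'ForwardingSmtpAddress'
            Target   = [string]$mbx.ForwardingSmtpAddress
            External = Test-ExternalAddress ([string]$mbx.ForwardingSmtpAddress)
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    if ($mbx.ForwardingAddress) {
        # ForwardingAddress points at a directory recipient (which may be a mail contact for an
        # outside address), so resolve that recipient separately rather than guessing here.
        $findings += [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Source   = 'ForwardingAddress'
            Target   = [string]$mbx.ForwardingAddress
            External = 'check recipient'
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
}

# 2. Inbox rules that forward or redirect; redirect rules leave no copy in the mailbox.
foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName
    Get-InboxRule -Mailbox $upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $rule = $_
            foreach ($t in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) {
                if (-not $t) { continue }
                $findings += [pscustomobject]@{
                    Mailbox  = $upn
                    Source   = "InboxRule:$($rule.Name)"
                    Target   = [string]$t
                    External = Test-ExternalAddress ([string]$t)
                    KeepCopy = -not [bool]$rule.RedirectTo
                }
            }
        }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Where-Object { $_.External -eq $true } |
    Export-Csv -Path '.\external-forwarding.csv' -NoTypeInformation   # placeholder path
```

Entries with External = True are the ones to reconcile against change tickets; a rule that redirects (KeepCopy = False) to an outside domain is the quieter variant, because the mailbox owner never sees the redirected messages.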